New Rules Deployed

August 11th, 2023


Windows/Network Connection:

  1. Connection Initiated Via Certutil.EXE
  2. Equation Editor Network Connection
  3. Download a File with IMEWDBLD.exe
  4. Communication To

Windows/System or Application/Service Control Manager:

  1. Suspicious Service Installation Script
  2. Turla PNG Dropper Service
  3. CobaltStrike Service Installations – System
  4. Windows Defender Threat Detection Disabled – Service
  5. Service Installation
  6. Invoke-Obfuscation Obfuscated IEX Invocation – System
  7. Invoke-Obfuscation STDIN+ Launcher – System
  8. Invoke-Obfuscation VAR+ Launcher – System
  9. Anydesk Remote Access Software Service Installation
  10. Hacktool Service Registration or Execution

Driver Load:

  1. Usage Of Malicious POORTRY Signed Driver
  2. PowerShell Scripts Run by Services

Azure/Azure Active Directory:

  1. Member Added to Group – Azure AD
  2. Multiple Members Added To Group – Azure AD2

Windows/Image Load:

  1. Suspicious Unsigned Dbghelp-Dbgcore DLL Loaded
  2. PCRE.NET Package Image Load
  3. Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
  4. Suspicious Interactive PowerShell as SYSTEM
  5. Suspicious Scheduled Task Write to System32 Tasks
  6. Suspicious Startup Folder Persistence


  1. UEFI Persistence Via Wpbbin – FileCreation
  2. WMI Persistence – Script Event Consumer File Write
  3. Creation of a WerFault.exe in Unusual Folder
  4. UAC Bypass Using Windows Media Player – File
  5. UAC Bypass Abusing Winsat Path Parsing – File
  6. Suspicious Interactive PowerShell as SYSTEM
  7. Suspicious Scheduled Task Write to System32 Tasks
  8. Suspicious Startup Folder Persistence
  9. NPPSpy Hacktool Usage
  10. Powerup Write Hijack DLL


  1. Fortigate Audit – System Changes Outside Working Hours

Windows/Process Creation:

  1. Certificate Exported Via Certutil.EXE
  2. Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
  3. Findstr Suspicious ParentCommandLine
  4. Use NTFS Short Name in Image
  5. Sdclt Child Processes
  6. Potential UAC Bypass Via Sdclt.EXE


  1. Potential Registry Reconnaissance Via PowerShell Script
  2. PowerShell Set-Acl On Windows Folder – PsScript
  3. PowerShell Script Change Permission Via Set-Acl – PsScript

365 Defender:

  1. Collection – 365 Defender
  2. Defense Evasion – 365 Defender
  3. Ransomware – 365 Defender
  4. Credential Access – 365 Defender

Web Cache:

  1. Potential CVE-2023-36884 URL Request Pattern Traffic

Pulse Connect Secure/Pulse Secure:

  1. User Connected by VPN Outside Working Hours – Pulse Secure


  1. UAC Bypass via Sdclt
